Recording Remote Vendor Access - SSL VPN Gateway Sessions

Remote Vendor Monitoring: Recording Secure Remote Access SSL VPN Gateway Sessions

An ObserveIT Whitepaper

Daniel Petri, March 2008

© Copyright 2008 ObserveIT Ltd.

Source: http://slidepdf.com/reader/full/recording-remote-vendor-access-ssl-vpn-gateway-sessions (retrieved 8/3/2019)

Whitepaper: Remote Vendor Monitoring (www.observeit-sys.com)

Table of Contents

Executive Summary ........ 2

The Need for Centralized Remote Access ........ 2

Establishing Remote Connections ........ 2

Securing the Remote Access Sessions ........ 3

Protecting the Internal Network ........ 4

Using Microsoft TS Gateway ........ 5

Monitoring User Activity ........ 5

Real Time Monitoring and Integration with Management Tools ........ 6

User Identification ........ 7

Conclusion ........ 7

Benefits of this solution include ........ 7

About ObserveIT ........ 7

Executive Summary

In the following article, I will demonstrate how to record Secure Remote Access SSL VPN Gateway sessions, using Terminal Services in conjunction with ObserveIT. In this deployment, all secure remote access SSL VPN sessions are routed through one or more central remote access gateways, with secondary remote desktop sessions serving as the method to access internal Windows or UNIX servers and other network devices. All sessions through the Secure Remote Access SSL VPN Gateway are fully audited and recorded. The recorded sessions give auditors and IT managers a full visual audit trail of all secure remote access SSL VPN connections; identify the source of each secured remote access connection; and provide a step-by-step replay of the actions taken and applications accessed on these machines.

This whitepaper covers the following topics:

1.  Setting up a Windows Terminal Gateway Server

2.  Secure communication to the Gateway using an SSL VPN Gateway

3.  Audit, Alert and Replay of all Recorded Sessions performed on the Gateways

The Need for Centralized Remote Access

In today's complex network and IT environments, more and more people need access to corporate servers, applications, databases and management tools. While trying to minimize human intervention with these critical services, IT managers need to consider how to allow the remote access and management of these services: who to allow access; how to secure and audit access; and how to record all actions that are performed on these servers.

The continuous need to control budgets by decreasing operational costs and maintenance fees has led many large and medium corporations to use external consultants and outsourcing services while minimizing internal IT departments.

Establishing Remote Connections

In order to mitigate this risk, a leading approach to enabling remote connections is to create a secure remote access deployment, in which all remote connections go through one or more Terminal or Citrix gateway servers. All vendors and remote administrators will initiate a remote desktop RDP/ICA session to these servers, where they will be authenticated and, if authorized, granted access to either the entire desktop or to a subset of published applications that are to be used for management purposes.

The first component of such a solution is the actual remote access mechanism. Here, we have a few options to consider. The decision on which remote access solution to choose is closely related to security concerns, corporate policy, budget and the number of concurrent connections.

Using regular RDP connections from the external world through your corporate firewall is probably the easiest option to deploy. However, it is also the least secure method when compared to the other options. RDP packets travel across the Internet as regular packets, and unless the built-in encryption capabilities of Terminal Server are also employed, this will not provide adequate security for the connection. Furthermore, unless some sort of remote access control mechanism is used (such as a firewall that has authentication capabilities), the only barrier that will prevent a malicious user from entering the network is the Terminal Server Windows authentication prompt.

Securing the Remote Access Sessions

In order to add an additional layer of security to such connections, we will need to deploy some sort of remote access solution prior to the actual connection to the Terminal Server itself. Options for securing remote access include:

•  IPSec, L2TP or PPTP-based VPN connections through Microsoft Windows Server 2003/2008 RRAS, by using Microsoft ISA Server, or by using leading 3rd-party solutions from vendors such as Cisco and Check Point

•  SSL VPN connections by using appliances such as Juniper SSL VPN, Cisco SSL VPN, Check Point Connectra and others, or by using Microsoft Windows Server 2008 SSTP

•  Microsoft Windows Server 2008 TS Gateway connections

The benefits of using VPN-type remote access include the fact that the connection is strongly encrypted, adding extra security encapsulation to each packet. A VPN enables protection against unauthorized access because, prior to gaining access to the actual remote management gateway, users are forced to authenticate themselves with their credentials or token, and only then will they be granted access to the gateway. On the other hand, with most VPN products an additional cost is incurred because of the need to deploy VPN servers and extra authentication systems.

Using SSL VPN adds the ability to use SSL-based encryption, which easily passes through most firewalls without the need to open specific ports. SSL VPN makes it easier for remote workers to connect because it usually does not involve any additional software installation on the client side, and is usually initiated from an easy-to-use web browser. This makes such connections ideal for usage on public computers such as the ones found in hotel lobbies and conference centers.

It is worth noting that in most scenarios, SSL VPN is preferred for remote access to those applications that are browser-based (i.e., have a web-based user interface), while IPSec VPN will be used principally for site-to-site communications (rather than individual client remote access).

Using the new SSTP capabilities of Microsoft Windows Server 2008 can help to further reduce costs associated with using 3rd-party solutions.

Protecting the Internal Network

An additional issue that is brought up when discussing remote management scenarios is the concern of controlling what type of traffic can be passed through these VPN connections, and what type of remote computers can actually connect to the corporate network. Often, these unmanaged computers might not be fully patched against security vulnerabilities, might not have an up-to-date anti-virus product, or might not have their personal firewall turned on. This raises many security issues, especially when considering the fact that these computers might be using a VPN tunnel type of connection, which in fact is very much like actually connecting them to the corporate network. Furthermore, after successfully connecting to the corporate network, these computers might initiate a type of connection to internal resources that is out of scope for the type of required connection. In order to mitigate these risks there is a need to implement a mechanism that will quarantine these computers until they provide proof of being fully patched and up-to-date. These types of quarantine systems can be achieved by using the 3rd-party Network Admission Control (NAC) capabilities of VPN appliances such as those provided by Juniper, Check Point or Cisco, or by implementing the built-in Network Access Protection (NAP) found in Microsoft Windows Server 2008.

In order to control exactly what type of traffic is passed through the VPN connection, there is a need to either deploy smart appliances such as those provided by Check Point, Cisco, Juniper or Microsoft (with their IAG product), or to place an additional firewall behind the VPN server that will scan the un-encrypted inbound traffic.


Using Microsoft TS Gateway

In addition, using the new capabilities of Microsoft Windows Server 2008 TS Gateway provides further protection of RDP traffic by encapsulating it into SSL packets, much like SSL VPN, but without the need to deploy special VPN servers.

The benefit of using the TS Gateway capabilities of Microsoft Windows Server 2008 is that remote users will only be granted access to the internal servers based upon a strict policy that can be enforced on the TS Gateway, and, when combined with the NAP capabilities of the system, it will only allow connection of computers that fully meet the security requirements set by the administrator.

This scenario employs a number of components. These include the TS Gateway server, a firewall, one or more Domain Controllers, a NAP server and a Network Policy Server (NPS is Microsoft's implementation of a RADIUS server). The TS Gateway authenticates the client by collecting the user's credentials and checking them against the TS Gateway Remote Access Policy. It then authenticates against the Domain Controller and performs a security validation as required by the NAP server and its policies. Only when all checks are fully successful does it pass the RDP traffic inwards, towards the remote management gateway server.

Monitoring User Activity

In the scenario outlined above, all remote access connections are indeed secured, and only authorized personnel can connect to the corporate servers.

However, the question of knowing exactly what vendors do once connected remains unanswered. This leaves a gaping hole in corporate security and compliance: once vendors connect to the remote management gateway server, in theory they can perform other actions, including opening full Remote Desktop connections to other remote servers. A mechanism is needed that gives IT managers the full confidence that comes with knowing exactly who connected, what they did while connected, and what applications or system tasks have been used or opened.

Many server-based applications have varying degrees of built-in auditing or logging, including extended diagnostic logging. However, auditing and logging only show cryptic log traces, not actual human actions. Auditing and logging may be of use for debugging an error, but security and regulatory issues create a need to know exactly what users are doing while logged onto the Terminal Servers. By using the recording and auditing capabilities of ObserveIT, IT managers receive a clear and concise answer to these questions.


Built specifically for enterprise-wide deployments, ObserveIT gives full control and insight into the actions done by external vendors and specialists that were hired to perform a specific task, as well as by local IT personnel and power users. ObserveIT records all human activities on monitored servers, both with exact visual recording as well as with detailed metadata. Visual recording allows replaying of every user session and understanding of what exactly was performed on the monitored servers, who did it, and what applications were accessed.

In the above deployment scenario, ObserveIT is deployed on each remote management Terminal Server. Built-in server-based policies are configured to trigger recording of all relevant activity performed by external vendors. The ObserveIT configuration is also specified to only record the management applications that are published on the remote management Terminal Server.

Real Time Monitoring and Integration with Management Tools

By capturing metadata in addition to visual screenshots, ObserveIT provides an abundance of information about what is seen on the screen, the user performing the action, the remote computer's name and IP, date, time, application executable name, window title and more. All this information is stored alongside the screenshots, allowing flexible searching capabilities and enterprise-scale management, and allowing rules-based searching without the need to replay screen-by-screen activity.

Another feature of ObserveIT is its capability to also create textual log files for monitoring purposes. These files are stored on the server's hard disk, and can be parsed by 3rd-party tools such as Microsoft System Center Operations Manager 2007, generating events or alerts based upon the information written in them.


User Identification

ObserveIT's Identification Services are integrated with the Active Directory database. This service forces users to identify themselves before gaining access to a server desktop or published application. After completing the Windows logon process, the users will be prompted with the secondary ObserveIT logon window, where they will be forced to enter their own personal username and password. This allows us to distinguish specific users, even when logging in using a 'generic' "Administrator" account.
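The preceding sections make three points that a monitoring pipeline has to act on together: a vendor on the gateway can open further Remote Desktop sessions to other servers, the textual metadata log (user, remote computer name and IP, date and time, executable, window title) can be parsed by a 3rd-party tool to raise alerts, and the secondary identity is what ties a shared "Administrator" logon to a person. The Python script below is an added example, not ObserveIT's code or its log format: the tab-separated layout, the sample records, the assumed identified_user column, the allow-list of published management applications and the three rules are all constructed for illustration. It parses the log, flags session hops (a remote-desktop client launched from the gateway), launches of applications that are not published, and generic-account activity with no secondary identity recorded, and then summarizes who connected from where and which applications they used.

```python
"""Rule-based alerting over session-recording metadata (added example).

Not ObserveIT's code: the log format, field names, sample records and rules
are assumptions for illustration.  The fields mirror the metadata the
whitepaper lists (user, remote computer name and IP, date and time,
application executable, window title) plus an assumed 'identified_user'
column carrying the secondary ObserveIT identity.
"""
import csv
import io
from collections import defaultdict

FIELDS = ("timestamp", "windows_user", "identified_user", "remote_host",
          "remote_ip", "executable", "window_title")

# Constructed sample records: one line per captured screen on the gateway.
SAMPLE_RECORDS = [
    ("2008-03-10 09:01:12", r"CORP\vendor-acme", "j.smith@acme",
     "ACME-LAPTOP", "203.0.113.7", "mmc.exe", "SQL Server Management"),
    ("2008-03-10 09:04:55", r"CORP\vendor-acme", "j.smith@acme",
     "ACME-LAPTOP", "203.0.113.7", "mstsc.exe", "Remote Desktop Connection"),
    ("2008-03-10 09:05:20", r"CORP\vendor-acme", "j.smith@acme",
     "ACME-LAPTOP", "203.0.113.7", "mstsc.exe", "db-prod-02 - Remote Desktop"),
    ("2008-03-10 10:12:03", r"CORP\Administrator", "",
     "UNKNOWN", "198.51.100.9", "cmd.exe", "Command Prompt"),
    ("2008-03-10 10:15:41", r"CORP\Administrator", "k.lee@corp",
     "KLEE-WS", "10.0.0.45", "services.msc", "Services"),
]
SAMPLE_LOG = "\n".join(["\t".join(FIELDS)] +
                       ["\t".join(r) for r in SAMPLE_RECORDS]) + "\n"

# Assumed policy inputs for this example.
GENERIC_ACCOUNTS = {"administrator", "admin", "root"}
SESSION_HOPPING_EXES = {"mstsc.exe", "wfica32.exe", "putty.exe"}  # open a further session
PUBLISHED_APPS = {"mmc.exe", "services.msc", "sqlwb.exe"}          # allowed management tools


def parse_log(text):
    """Parse the tab-separated metadata log into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def evaluate(records):
    """Apply the detection rules; return one alert dict per finding."""
    alerts = []
    for rec in records:
        exe = rec["executable"].lower()
        account = rec["windows_user"].rsplit("\\", 1)[-1].lower()
        # Prefer the secondary identity; fall back to the Windows account.
        actor = rec["identified_user"] or rec["windows_user"]
        base = {"timestamp": rec["timestamp"], "actor": actor,
                "remote_ip": rec["remote_ip"], "executable": rec["executable"]}
        if exe in SESSION_HOPPING_EXES:
            alerts.append({**base, "rule": "SESSION_HOP",
                           "detail": rec["window_title"]})
        elif exe not in PUBLISHED_APPS:
            alerts.append({**base, "rule": "UNPUBLISHED_APP",
                           "detail": rec["window_title"]})
        if account in GENERIC_ACCOUNTS and not rec["identified_user"]:
            alerts.append({**base, "rule": "UNIDENTIFIED_GENERIC_ACCOUNT",
                           "detail": "no secondary identity recorded"})
    return alerts


def session_summary(records):
    """Who connected, from which IP, and which applications they used."""
    summary = defaultdict(set)
    for rec in records:
        key = (rec["identified_user"] or rec["windows_user"], rec["remote_ip"])
        summary[key].add(rec["executable"].lower())
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in evaluate(recs):
        print(f'{a["timestamp"]} {a["rule"]:28} {a["actor"]} '
              f'{a["executable"]} ({a["detail"]})')
    for (who, ip), apps in session_summary(recs).items():
        print(f"{who} from {ip}: {', '.join(apps)}")
```

Run against the constructed log, the script raises two SESSION_HOP alerts for the vendor's mstsc.exe launches, one UNPUBLISHED_APP alert for cmd.exe, and one UNIDENTIFIED_GENERIC_ACCOUNT alert for the Administrator logon that never passed the secondary logon window; the later Administrator session that did identify as k.lee@corp is attributed to that person in the summary rather than to the shared account. The same rule shapes translate directly into whatever alerting tool parses the real log files.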

Conclusion

Security and regulatory issues force many IT managers to seek a solution for vendors and external administrators to access their networks remotely. By using a centralized remote management gateway approach, we achieve a more secure implementation for such remote access needs, and by integrating these solutions with ObserveIT, the recording of all human actions and management tasks is easy to collect and monitor. ObserveIT's advanced indexing capabilities, combined with video replay of screen activity, allow the IT manager to keep a finger on the pulse of remote access activity, in accordance with security and regulatory requirements.

Benefits of this solution include:

•  Accountability of all activities performed by a Service Organization

•  Processes that link each system access to an identifiable individual user

•  Reduced cost involved in generating Compliance Reports: less effort, with faster turnaround time

•  Unequivocal proof of user activity, guaranteeing authentication and non-repudiation

About ObserveIT

ObserveIT is an innovator and leader in Terminal, Citrix and Console session recording, with solutions for Windows, Desktop and Virtual Machine environments.

ObserveIT software visually records and replays all user sessions, providing detailed insight into all activities on the network.

Founded in 2006, ObserveIT has a worldwide customer base that spans many industry segments, including financial, insurance, healthcare, manufacturing, telecommunications, government and IT services.